Slashdot Mirror


Eavesdropping On Google Voice and Skype

Simmons writes with news of research that demonstrated vulnerabilities in Skype and Google Voice that would have allowed attackers to eavesdrop on calls or place unauthorized calls of their own. "The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system. For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (PDF), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS). Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. ... The Skype flaws have not yet been patched, according to James." Reader EricTheGreen contributes related news that eBay may sell Skype back to its original founders.


  1. Not nearly as interesting as you'd expect by BadAnalogyGuy · Score: 4, Interesting

    Unlike security vulnerabilities that gain access to your files and keyboard, this only gets access to your phone calls. This means that the hackers would need a very powerful machine to both monitor and save important calls and a means of automating the scanning of calls.

    It's simply not cost effective to listen in on every call. It's much better to gain file or keyboard access and let Perl scan the logs for interesting data.

    1. Re:Not nearly as interesting as you'd expect by Anonymous Coward · Score: 5, Funny

      Surely it would be trivial to pipe the calls through some voice recognition software? Then do a text search for 'credit card', 'creedal car', and maybe 'cricket Karl'.

  2. Believe it or not by Landak · Score: 5, Insightful

    Believe it or not, Skype carries the second largest number of international calls in the world, second only to AT&T. With a volume like that, you'd imagine that any potential vulnerability may well find someone interested in applying it, very quickly. Like, for instance, the NSA...

    --
    My UID is prime. Is yours?
    1. Re:Believe it or not by CRCulver · Score: 5, Interesting

      Skype has already been accused of having a half-assed approach to security in order to appease government agencies. It's a pity that there are no widely available encrypted voice applications. A decade ago when the nerd community was toying with PGPfone, it seemed like widespread encrypted telephony was right around the corner. Ekiga announced encryption for the 3.0 release, but then quietly buried those plans, and as nice as it is to have easy encryption in Pidgin, the app remains limited to text chat.

    2. Re:Believe it or not by Wowsers · Score: 4, Insightful

      Luckily* for Linux and Skype users, Skype hasn't been updated in about 2 years, and definitely no 64-bit version. So the vulnerability will be there for who knows how long until Skype (or is it eBay) gets their finger out of their backside and gives Linux/Skype users a better deal.

      * Being sarcastic

      --
      Take Nobody's Word For It.
  3. Unsurprising by Alcoholist · Score: 4, Insightful

    Anyone expecting privacy on these systems is a fool. It's not like either of these companies is regulated in any way, to say nothing of the fact they provide their services over the Internet which you only have to read /. for a day to know is not secure.

    --
    Bibo Ergo Sum.
    1. Re:Unsurprising by Samschnooks · Score: 5, Funny

      Anyone expecting privacy on these systems is a fool. It's not like either of these companies is regulated in any way, to say nothing of the fact they provide their services over the Internet which you only have to read /. for a day to know is not secure.

      Exactly. The same goes for traditional cell service. Why just the other day, I was in the grocery store and someone was yacking away about some big business deal in the bread aisle. I sat there "shopping" while this guy was talking about financing, etc, etc, etc...

      Then, I moved over to the soda aisle, this young chicky apparently was having boyfriend troubles and I offered to help but she got all indignant and looks at me like I was a perv or something.

      Then, over in the fish aisle, this middle aged guy was trying to figure out if he should get the Salmon or the Trout and asking his wife, I think, which should he get. I told him the Trout. Great stuff. Again the funny looks! I don't get it?

      The bread aisle, this person was pushing their cart talking away and I answered - god I hate those blue tooths! Same thing - weird looks!

      I won't tell you about the guy on the street talking really loudly but without any Bluetooth or Cell - he asked me for money.

      What was this again about privacy and phone calls? I forgot what we're talking about.

  4. Nerdy solution by Wowsers · Score: 4, Funny

    For a minute there I thought there was a problem, but nerds have no friends so nobody calls you on Skype anyway.

    --
    Take Nobody's Word For It.
  5. Cloud apps improve security by Alascom · Score: 5, Insightful

    Once again, we see that cloud apps like Google's GrandCentral have a real benefit to security, despite the sensationalist scaremongering.

    When a bug in a cloud-based application is identified, it can be patched quickly, in a single location, and the bug disappears. The same cannot be said of locally installed apps (Exchange servers, etc) that take years for companies and administrators to eventually get the patches installed.